Executives from Apple and Google urged the federal government to tighten rules in its proposed lawful access legislation to avoid creating vulnerabilities in their products, arguing so-called “backdoors” into encrypted data systems could be exploited by cyber criminals.
Bill C-22 would lead to the creation of regulations requiring “core” telecommunications providers to create “capabilities” for law enforcement to access information, and for the retention of user metadata for up to one year. Ministerial orders could then be given to other providers without judicial oversight.
Although the government has said the bill is “encryption neutral” and that it won’t push providers to create a “systemic vulnerability,” the companies added to the growing chorus of concerns that the legislation as written — including the definition of a “systemic vulnerability” — is broad enough that encryption could still be at risk.
“Speaking as an engineer, we do not know of a way to deploy encryption technology that provides access only for the good guys without creating new ways for the bad guys to break in,” Erik Neuenchwander, Apple’s senior director of user privacy and child safety, told the House of Commons public safety committee.
“In other words, when you build a backdoor into an encrypted device, anyone can walk through.”
Get daily National news
Get daily Canada news delivered to your inbox so you’ll never miss the day’s top stories.
He pointed to the 2024 Salt Typhoon cyberattack on U.S. government systems that exploited access points created under that country’s own lawful access bill.
“That law was narrower than Bill C-22,” he said. “So imagine what could happen if more companies were required to create these vulnerabilities.”
Jeanette Patell, the director of government affairs and public policy at Google Canada, said the bill as written “goes well beyond lawful access regimes in other G7 democracies, and risks creating new surveillance infrastructure that would introduce serious security vulnerabilities, undermine user trust and hinder our ability to innovate and offer pro-privacy technologies.”
The proposed ministerial powers under the bill “could give the government the power to secretly force companies to redesign products, to include invasive surveillance capabilities, and to do so without sufficient safeguards or oversight,” Patell added.
“Ministerial orders are not only alarming, but also unnecessary,” she said. “Canada already has an effective, transparent system where law enforcement can apply to the courts for reasonable assistance orders subject to judicial oversight.”
Both executives said protections around encryption and more specific definitions were necessary for the bill itself, rather than waiting for future regulations to provide that clarity.
The testimony comes after multiple service providers, including VPN operators, have said they would pull out of Canada rather than comply with the legislation if passed as written.
Privacy experts have also raised concerns about potential regulations that would require the retention of metadata — including transmission and location data — saying it raised “unprecedented” privacy and cybersecurity issues.
Those concerns were echoed by federal privacy commissioner Philippe Dufresne and legal experts during Tuesday’s marathon committee hearing prior to the testimony from Apple and Google.
Companies including Meta have raised similar concerns as those companies in testimony to the committee’s study of the bill earlier this month.
More to come…
© 2026 Global News, a division of Corus Entertainment Inc.
